Google hit with €50m GDPR fine over ads breach

Google has been fined €50m (£44m) after it was found in breach of European Union GDPR rules over the ways the online tech giant’s ads are personalised.

French data regulator CNIL announced the fine today after an investigation found that Google was liable for "lack of transparency, inadequate information and lack of valid consent".

It is the first time the CNIL has handed such a big levy since the European-wide GDPR regulations came into force last year. It warned that Google’s transgressions are "still observed to date" and are not a one-off infringement.

An investigation was launched after group complaints from two privacy groups: None of Your Business and La Quadrature du Net. They alleged that Google did not have a valid legal basis to process user data for the personalisation of ads under the terms of GDPR.

Google gets consent from people when they use apps such as YouTube, Google Maps and search. But this process, the CNIL said, does not make the user aware of the extent of how the ads are personalised to them by using data collected across these services.

Furthermore, when Google users create an account, they are presented with a default option in the form of a pre-ticked box next to the statement: "I agree to the processing of my information as described above and further explained in the Privacy Policy." Broad consent such as this is forbidden under GDPR, the regulator explained.

The CNIL, therefore, judged that Google had not validly obtained users’ consent to personalise ads because people are not sufficiently informed about how the company uses their data, and nor is the consent that Google gathers "specific" or "unambiguous".

The watchdog added: "The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.

"Despite the measures implemented by Google (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations."

France’s data regulator handled the investigation, despite Google’s European headquarters being in Ireland, because the Irish authority did not have the power the make decisions over Android, the tech company’s operating system.

In a statement, Google said: "People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps."